
CVE-2024-20251

Stored Cross-Site Scripting

4.8 (Medium)

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Cisco Identity Services Engine

below: 2.7, 3.0, 3.1P8, 3.2P5, 3.3P1

Stanisław Koza

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack against a user of the interface on an affected device.
This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

  1. Log in as any low-privileged user.
  2. In the network devices tab, click on any colored part of the chart.
  3. You will be taken to https:///admin/#pulloutLandingPage?pulloutView=cisco/ise/features/visibility/matrixviews/views/DevicesMatrixView. Now choose any device from the list and export it using the "Export selected" option. In the next window choose "Importable only".
  4. Open the exported file with any text editor and change User-Name to
    "AAAA<img src='' onerror=alert(document.domain)>"
  5. Upload the modified file using the "Import" > "Import From File" functionality.
  6. Now locate the device in the list of devices and click its name (it is worth noting that this payload can also be fired as an admin user).
  7. The XSS payload will execute.
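For defenders reviewing import files before they are loaded, or auditing data already stored, the following added example (not part of the original advisory and not Cisco code) flags fields that carry markup and shows the output encoding that neutralises such a value at render time. The CSV layout, column names and function names are assumptions, since the page does not show the export format.

```python
import csv
import html
import io
import re

# Constructed sample import file. The real ISE export layout is not shown on
# the page, so the CSV format and column names here are assumptions.
SAMPLE_IMPORT = """MACAddress,User-Name,EndPointPolicy
00:11:22:33:44:55,alice,Workstation
66:77:88:99:AA:BB,AAAA<img src='' onerror=alert(document.domain)>,Unknown
"""

# Angle brackets, inline event-handler attributes, and script-scheme URLs.
SUSPICIOUS = re.compile(r"[<>]|\bon\w+\s*=|javascript:", re.IGNORECASE)


def audit_import(text):
    """Return (line_number, column, value) for every field that carries markup."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    for line_number, row in enumerate(reader, start=2):  # header is line 1
        for column, value in row.items():
            # Rows with surplus fields yield a list under the key None; skip those.
            if isinstance(value, str) and SUSPICIOUS.search(value):
                findings.append((line_number, column, value))
    return findings


def render_cell(value):
    """Encode a stored value for an HTML text or attribute context."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for line_number, column, value in audit_import(SAMPLE_IMPORT):
        print(f"line {line_number}, column {column!r}: {value!r}")
        print("  rendered safely as:", render_cell(value))
```

Input filtering of this kind is a review aid only; encoding at the point of output is what stops a stored value from being interpreted as markup.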
  • 19-07-2023 - Vulnerability reported to vendor
  • 19-07-2023 - First response from the vendor
  • 10-01-2024 - Security advisory is published by the vendor
  • 13-05-2025 - PoC published